Long before the federal government passed the Personal Information Protection and Electronic Documents Act (PIPEDA) at the start of 2004, BMO Financial Group discovered security and privacy were closely connected in the minds of the firm’s customers.

Companies must take the protection of personally identifiable information seriously because customers see privacy and security as a matter of trust, said Marjorie Shield, director of the privacy office for BMO Financial Group in Toronto.

People trust companies to protect their private information and if security processes don’t do that, customers will not trust those companies again. Even before PIPEDA was passed, BMO Financial Group already had in place a range of security measures to protect customer data, Shield said. Security, which was trapped in a technical domain, is now a tangible business problem.Vivek Khindria>Text

What PIPEDA did was move attention away from looking at security as a technology issue, to looking at security as an issue about data and the controls around data, she said.

“One of the requirements under the privacy legislation is to know what information you have, what it is being used for, who is accessing that data and then making sure that anyone who is accessing that data is doing so on a ‘need-to-know’ basis,” she explained.

Given that BMO Financial Group has a wealth of sensitive financial and personal information, the company used PIPEDA to help it look more closely at its data and controls. BMO mapped out its data to see what type of information the company stored. Then the firm classified the data according to its sensitivity to create the controls around how data could be accessed and presented.

Vivek Khindria, department manager for security practices and technology with BMO Financial Group in Toronto, said that by mapping and classifying the data, the company determined which controls were needed and how the data should be accessed.

For example, the firm could set stricter controls over accessing customer data if it involved accessing the customer’s social insurance number. Controls could be eased if the social insurance number was removed. “This challenge is much more in the information management space than in the traditional security, firewall and encrypt space,” Khindria added.

Khindria said PIPEDA has helped companies understand that security is not just a technology-driven process, but something tied to overall business processes. For BMO Financial Group, it was about the protection and integrity of customers’ personal information.

“The (personal) data is what customers are entrusting us with,” Khindria explained. “They are entrusting us with data about their financial positions, credit ratings, financial portfolios, what they bought last Saturday.”

It has also changed the way people speak about security, moving it away from technology. “Security, which was trapped in a technical domain, is now a tangible business problem,” Khindria said. “Businesses understand (security) language in terms of privacy more readily, but when you start to talk about ports, firewalls and bits and bytes, it is harder for the business to understand what is the business problem around (security).”